Behind the scenes of the investigation: Heists Worth Billions

David Maimon’s cybersecurity research group noticed a flood of checks in underground markets, which opened a window into much broader criminal activity. Collage by Kimberly Patch

Professor David Maimon is director of the Evidence-Based Cybersecurity Research Group at Georgia State University.

He and his group are well familiar with what happens on the dark web, which consists of websites that look like ordinary websites but can be reached only using special browsers or authorization codes and are often used to sell illegal commodities.

In this behind-the-story video, Maimon shows some of the hundreds of thousands of bank-related images that he and his team have collected from the dark web and text message applications, and the research these discoveries spurred them to do. That research sparked the investigative story Heists Worth Billions, which Maimon teamed up to write with The Conversation’s senior investigative editor Kurt Eichenwald. Here’s how Maimon and colleagues uncovered the crimes, and his remarks from a follow-up interview.

Maimon’s group was monitoring images posted on the dark web when it found the initial clues that something big was afoot.

My group and I spend a lot of time on underground markets in which criminals sell all kinds of illicit commodities. We see a lot of counterfeit products. We see a lot of identities. And in mid-2021 we started to see a lot of checks flooding the markets.

Those checks led us down a path where we realized that thousands of sham bank accounts were being created to steal and launder money.

The group’s first realization was about the volume of deposits.

Folks were using multiple accounts simultaneously to deposit the high volume of checks. They were simply purchasing from the markets and depositing on different accounts.

For example, three checks would be deposited into three different bank accounts by a single criminal.

Group members connected another clue that showed them how the criminals were getting access to multiple accounts.

We saw numerous debit cards and realized that the criminals were using those debit cards to deposit all the checks they stole or purchased.

Then, in June 2022, the group made a key observation.

Criminals were posting screenshots from bank accounts with balances showing zero.

We realized that these screenshots of zero-balance bank accounts were advertisements – they were selling bank accounts that had zero balances.

This led the group to an investigation.

Over six months we tracked a single criminal, counting the number of images of credit cards and the number of screenshots of bank accounts showing zero balances that he posted.

We’re seeing this increasing trend from one single actor and, of course, being out there in the ecosystem, we are able to see more and more copycats: more and more folks like the individual we’re monitoring, offering their services.

And a conclusion about what allowed this to happen.

If a criminal opens a credit card under someone else’s name, when the person realizes something is wrong and freezes the credit card, the criminal can’t use that identity anymore.

But with bank accounts, it’s a different story, because the credit freeze does not affect your ability to establish a new bank account under someone else’s name.

Maimon gives some advice on how to protect your identity.

Make sure you freeze your credit. Make sure you purchase some kind of identity theft protection plan, which will alert you every time someone is using your identity. And simply monitor your bank account on a daily basis, monitor your credit card.

Freezing your credit ensures that no one can access your credit report unless you actively lift the freeze.

He talks about what’s next for his research group.

We’re trying to understand how all those identities are actually being used in the context of money laundering and, more specifically, sports betting.

And he sounds the alarm.

This is a serious problem that is largely being ignored. It’s our hope that exposing the magnitude of this will help spur action, because far too many people are losing far too much money to this type of crime.



This article accompanies Heists Worth Billions, an investigation from The Conversation that found criminal gangs using sham bank accounts and secret online marketplaces to steal from almost anyone – and uncovered just how little is being done to combat the fraud.


David Maimon receives funding from the National Science Foundation, the Criminal Investigations and Network Analysis Center at George Mason University, and other private grants which support the Evidence Based Cybersecurity research group.